Through libdb (libdb4.6 4.6.21-13ubuntu2 here), libnss_db seems to try and read a DB_CONFIG file in the current directory (instead of /var/lib/misc I suppose).

That's a security vulnerability because in the case of setuid or setgid commands, excerpts of the file are revealed to the calling user (and maybe more harm could be done with specially crafted DB_CONFIG files).
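
Added example, not part of the original report and not libdb or libnss_db code: one way a library could choose which DB_CONFIG to read so that a setuid or setgid process never picks one up from the caller's current directory. The helper names `running_privileged` and `db_config_path` are hypothetical; `/var/lib/misc` is the directory named in the report.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Nonzero when the process runs with setuid/setgid-elevated IDs. */
int running_privileged(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/*
 * Build the path of the DB_CONFIG file to read (hypothetical helper).
 * home       - database directory, or NULL when the caller gave none
 * privileged - result of running_privileged(), passed in so it can be tested
 * Returns 0 and fills out, or -1 when no config file may be read.
 */
int db_config_path(const char *home, int privileged, char *out, size_t outlen)
{
    int n;

    if (home == NULL || home[0] == '\0') {
        if (privileged)
            return -1;          /* never fall back to the caller's cwd */
        home = ".";             /* unprivileged: cwd lookup leaks nothing new */
    } else if (privileged && home[0] != '/') {
        return -1;              /* relative homes resolve against the cwd too */
    }
    n = snprintf(out, outlen, "%s/DB_CONFIG", home);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;  /* reject truncation */
}

int main(void)
{
    char path[4096];
    int priv = running_privileged();

    if (db_config_path("/var/lib/misc", priv, path, sizeof path) == 0)
        printf("would read %s\n", path);
    if (db_config_path(NULL, priv, path, sizeof path) != 0)
        printf("no home given while privileged: DB_CONFIG skipped\n");
    return 0;
}
```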

2010-03-04 18:52:51 -0800, Ulrich Drepper:
> That code isn't maintained for a decade or more. Nobody should have
> used that code since then and there certainly will be no code changes to
> obsolete, actively removed code.
[...]